Description
On a FreeBSD 14.3 VM, after upgrading Webmin 2.501 to 2.510 and installing Virtualmin 7.40.1 gpl-1, logging into Webmin triggers an outgoing DNS query storm to the locally configured domain zone forwarders. Each DNS query uses a new sending port number so each query starts a new communication session. This quickly reaches the 3200 session limit per host enforced by our Internet gateway, which then blocks communications from the VM.
An example of the DNS queries reported by running `sudo dnstop -46QR -l 6 -r 1 em0` shortly after logging into Webmin are:

```
Queries: 16 new, 1986 total
Current Date and Time
Replies: 16 new, 1986 total

Query Name                             Count      %   cum%
------------------------------------ --------- ------ ------
X.Y.Z.d.f.ip6.arpa                       984   49.5   49.5
XX.X.10.10.in-addr.arpa                  492   24.8   74.3
XX.XY.10.10.in-addr.arpa                 492   24.8   99.1
www.webmin.com                             4    0.2   99.3
announce.webmin.com                        4    0.2   99.5
hostname.tld                               3    0.2   99.6
webmin.com                                 2    0.1   99.7
www.webmin.com.searchdomain.com            2    0.1   99.8
announce.webmin.com.searchdomain.com       2    0.1   99.9
webmin.com.searchdomain.com                1    0.1  100.0
```
The dnstop refresh rate was set to one second by the `-r 1` option in the command line above. Sixteen new DNS queries were reported each second. The first three URIs, which were the subject of hundreds of DNS queries, cannot be resolved by the queries being sent to the configured public domain zone forwarders because the URIs identify addresses that can only be local. The last three URLs, which were the subject of one or two DNS queries, can never be resolved because the three webmin.com FQDNs are prepended to the search domain supplied by the local DHCP server, and that domain is not configured with a wildcard record in our authoritative DNS servers. All DNS queries are being sent to port 53.

The FreeBSD VM has two Ethernet interfaces which are each assigned an IPv4 address by the local DHCP server within two different local subnets within the 10.10.X.X address space. NSD is our authoritative DNS server for our own domains, listening on the public network interfaces. BIND provides local DNS recursive resolution and caching, listening on the localhost addresses. The list of domain zone forwarder URLs is included in the FreeBSD system (`resolvconf.conf`) configuration and in the BIND (`named.conf`) configuration. It is not apparent which list of domain zone forwarder URLs is being used for the reported DNS queries.
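A triage script that applies the reasoning in this report to a dnstop query table, added here as an example (it is not the reporter's code and not part of Webmin or Virtualmin): it parses the per-name table, rebuilds the address behind each `in-addr.arpa` / `ip6.arpa` name to flag reverse lookups of RFC 1918, ULA or link-local addresses that no public forwarder can answer, and flags FQDNs that had the resolver's search domain appended. The sample table and the `searchdomain.com` search domain are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter
# Constructed dnstop-style sample (not the reporter's output); searchdomain.com is the placeholder search domain.
SAMPLE_DNSTOP = """\
Query Name                        Count      %   cum%
--------------------------------- --------- ------ ------
0.0.8.b.d.f.ip6.arpa                984   49.5   49.5
20.1.10.10.in-addr.arpa             492   24.8   74.3
30.2.10.10.in-addr.arpa             492   24.8   99.1
www.webmin.com                        4    0.2   99.3
webmin.com.searchdomain.com           1    0.1  100.0
"""
ROW = re.compile(r"^(\S+)\s+(\d+)\s+[\d.]+\s+[\d.]+$")

def parse_dnstop(text):
    """Yield (query_name, count) from dnstop's per-name table; headers and rules are skipped."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2))

def reverse_target(labels):
    """Rebuild the address behind a PTR name; names truncated by dnstop -l are zero-padded."""
    if labels[-2:] == ["in-addr", "arpa"]:
        return ipaddress.IPv4Address(".".join((labels[-3::-1] + ["0"] * 4)[:4]))
    if labels[-2:] == ["ip6", "arpa"]:
        h = "".join(labels[-3::-1]).ljust(32, "0")  # nibbles are stored least-significant first
        return ipaddress.IPv6Address(":".join(h[i:i + 4] for i in range(0, 32, 4)))

def classify(name, search_domain):
    """Tag a query: private-reverse, search-expanded, malformed, or forwardable."""
    labels = name.lower().rstrip(".").split(".")
    try:
        addr = reverse_target(labels)
    except ValueError:  # non-numeric octet or nibble inside a PTR name
        return "malformed"
    if addr is not None:  # public forwarders cannot answer PTRs for private ranges
        return "private-reverse" if addr.is_private or addr.is_link_local else "forwardable"
    suffix = "." + search_domain.lower().strip(".")
    if name.lower().endswith(suffix) and "." in name[:-len(suffix)]:
        return "search-expanded"  # e.g. webmin.com with .searchdomain.com appended
    return "forwardable"

def summarize(text, search_domain):
    """Total query count per class, so the source of a storm stands out at once."""
    totals = Counter()
    for qname, count in parse_dnstop(text):
        totals[classify(qname, search_domain)] += count
    return dict(totals)
```

Run `summarize(open("dnstop.txt").read(), "your.search.domain")` on a saved dnstop screen to see how much of the traffic is reverse lookups for local addresses versus search-list expansion.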